Bug 176048 - buffer overflow in xscreensaver from rawhide
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: xscreensaver
Version: rawhide
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Ray Strode [halfline]
Reported: 2005-12-18 06:49 EST by Andy Burns
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-09-23 22:30:34 EDT


Attachments
gdb log of xscreensaver run as root (6.10 KB, text/plain), 2006-01-13 05:18 EST, Mamoru TASAKA
Patch for getgroups() in setuid.c (1.67 KB, patch), 2006-01-13 05:32 EST, Mamoru TASAKA

Description Andy Burns 2005-12-18 06:49:43 EST
Description of problem:

starting xscreensaver results in a buffer overflow and backtrace

Version-Release number of selected component (if applicable):

all components updated to rawhide 20051218

How reproducible:

100%

Steps to Reproduce:
1. run xscreensaver

Actual results:

# xscreensaver
*** buffer overflow detected ***: xscreensaver terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x782415]
/lib/libc.so.6[0x783501]
xscreensaver[0x805a506]
xscreensaver[0x805ad3d]
xscreensaver[0x804e7be]
/lib/libc.so.6(__libc_start_main+0xdf)[0x6b862f]
xscreensaver[0x804be41]
======= Memory map: ========
003ff000-0040a000 r-xp 00000000 fd:00 113803980  /lib/libaudit.so.0.0.0
0040a000-0040f000 rw-p 0000b000 fd:00 113803980  /lib/libaudit.so.0.0.0
005fc000-00601000 r-xp 00000000 fd:00 1933370    /usr/lib/libXdmcp.so.6.0.0
00601000-00602000 rw-p 00004000 fd:00 1933370    /usr/lib/libXdmcp.so.6.0.0
00604000-00606000 r-xp 00000000 fd:00 1933369    /usr/lib/libXau.so.6.0.0
00606000-00607000 rw-p 00001000 fd:00 1933369    /usr/lib/libXau.so.6.0.0
00609000-00617000 r-xp 00000000 fd:00 1933373    /usr/lib/libXext.so.6.4.0
00617000-00618000 rw-p 0000d000 fd:00 1933373    /usr/lib/libXext.so.6.4.0
0061a000-00622000 r-xp 00000000 fd:00 1933368    /usr/lib/libSM.so.6.0.0
00622000-00623000 rw-p 00007000 fd:00 1933368    /usr/lib/libSM.so.6.0.0
00625000-0063b000 r-xp 00000000 fd:00 1933367    /usr/lib/libICE.so.6.3.0
0063b000-0063d000 rw-p 00015000 fd:00 1933367    /usr/lib/libICE.so.6.3.0
0063d000-0063e000 rw-p 0063d000 00:00 0
00647000-0065d000 r-xp 00000000 fd:00 1933374    /usr/lib/libXmu.so.6.2.0
0065d000-0065e000 rw-p 00015000 fd:00 1933374    /usr/lib/libXmu.so.6.2.0
0065e000-0065f000 rw-p 0065e000 00:00 0
00686000-0069f000 r-xp 00000000 fd:00 113803736  /lib/ld-2.3.90.so
0069f000-006a0000 r--p 00018000 fd:00 113803736  /lib/ld-2.3.90.so
006a0000-006a1000 rw-p 00019000 fd:00 113803736  /lib/ld-2.3.90.so
006a3000-007c9000 r-xp 00000000 fd:00 113803737  /lib/libc-2.3.90.so
007c9000-007cb000 r--p 00125000 fd:00 113803737  /lib/libc-2.3.90.so
007cb000-007cd000 rw-p 00127000 fd:00 113803737  /lib/libc-2.3.90.so
007cd000-007cf000 rw-p 007cd000 00:00 0
007d1000-007d3000 r-xp 00000000 fd:00 113803948  /lib/libdl-2.3.90.so
007d3000-007d4000 r--p 00001000 fd:00 113803948  /lib/libdl-2.3.90.so
007d4000-007d5000 rw-p 00002000 fd:00 113803948  /lib/libdl-2.3.90.so
007fe000-0084f000 r-xp 00000000 fd:00 1933372    /usr/lib/libXt.so.6.0.0
0084f000-00853000 rw-p 00050000 fd:00 1933372    /usr/lib/libXt.so.6.0.0
0086d000-00878000 r-xp 00000000 fd:00 113803434  /lib/libpam.so.0.81.1
00878000-00879000 rw-p 0000a000 fd:00 113803434  /lib/libpam.so.0.81.1
008c7000-008ce000 r-xp 00000000 fd:00 52663438   /usr/lib/libXrender.so.1.3.0
008ce000-008cf000 rw-p 00007000 fd:00 52663438   /usr/lib/libXrender.so.1.3.0
008d1000-008d3000 r-xp 00000000 fd:00 52669018   /usr/lib/libXinerama.so.1.0.0
008d3000-008d4000 rw-p 00001000 fd:00 52669018   /usr/lib/libXinerama.so.1.0.0
008d6000-008d9000 r-xp 00000000 fd:00 52669392   /usr/lib/libXrandr.so.2.0.0
008d9000-008da000 rw-p 00002000 fd:00 52669392   /usr/lib/libXrandr.so.2.0.0
008ef000-008f9000 r-xp 00000000 fd:00 113803438  /lib/libgcc_s-4.1.0-20051214.so.1
008f9000-008fa000 rw-p 00009000 fd:00 113803438  /lib/libgcc_s-4.1.0-20051214.so.1
0090f000-00913000 r-xp 00000000 fd:00 52661885   /usr/lib/libXxf86vm.so.1.0.0
00913000-00914000 rw-p 00003000 fd:00 52661885   /usr/lib/libXxf86vm.so.1.0.0
00b37000-00b39000 r-xp 00000000 fd:00 52665389   /usr/lib/libXxf86misc.so.1.1.0
00b39000-00b3a000 rw-p 00002000 fd:00 52665389   /usr/lib/libXxf86misc.so.1.1.0
00b57000-00b60000 r-xp 00000000 fd:00 113803305  /lib/libnss_files-2.3.90.so
00b60000-00b61000 r--p 00008000 fd:00 113803305  /lib/libnss_files-2.3.90.so
00b61000-00b62000 rw-p 00009000 fd:00 113803305  /lib/libnss_files-2.3.90.so
00f18000-00f19000 r-xp 00f18000 00:00 0          [vdso]
03083000-03173000 r-xp 00000000 fd:00 1933371    /usr/lib/libX11.so.6.2.0
03173000-03177000 rw-p 000f0000 fd:00 1933371    /usr/lib/libX11.so.6.2.0
04dee000-04df3000 r-xp 00000000 fd:00 113803979  /lib/libcrypt-2.3.90.so
04df3000-04df4000 r--p 00004000 fd:00 113803979  /lib/libcrypt-2.3.90.so
04df4000-04df5000 rw-p 00005000 fd:00 113803979  /lib/libcrypt-2.3.90.so
04df5000-04e1c000 rw-p 04df5000 00:00Aborted

Expected results:

xscreensaver starts correctly

Additional info:

this was working on rawhide from 2-3 days ago.
using xorg radeon driver on PCIe X550 + DVI monitor
Comment 1 Andy Burns 2006-01-05 20:41:50 EST
Still crashes with updated rawhide, but I have discovered it only crashes when
xscreensaver is run as root, which is a bad thing to do anyway, however it did
previously warn you how bad an idea it is to run as root instead of crashing ...

Comment 2 Mamoru TASAKA 2006-01-13 05:18:08 EST
Created attachment 123156 [details]
gdb log of xscreensaver run as root

Hello.

Andy's comment that "SEGV if run as root" perhaps made the 
problem of this issue clearer.
Always reproducible for me if run as root, too. See the gdb log
attached.
Comment 3 Mamoru TASAKA 2006-01-13 05:32:10 EST
Created attachment 123157 [details]
Patch for getgroups() in setuid.c

SEGV is called by getgroups() in set_ids_by_number() in
driver/setuid.c (see around line 180).

sizeof(groups) returns 4*1024=4096! (not 1024), which must be
divided by sizeof(gid_t).
This patch is to give the correct value to getgroups() in
setuid.c.
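The size-argument mistake described in comment 3, shown as an added example that is not xscreensaver's own code: a `gid_t groups[1024]` array (the 1024-element size and the `groups` name follow the comment; every function body below is assumed, not taken from driver/setuid.c). `getgroups()` takes an element count, so passing `sizeof(groups)` hands it a byte count four times too large on a 4-byte `gid_t`. glibc's fortified `getgroups()` wrapper (enabled with `-D_FORTIFY_SOURCE`) checks that count against the buffer size and aborts with exactly the `*** buffer overflow detected ***` / `__chk_fail` trace seen in the report; the corrected pattern passes the element count and handles the too-small-buffer case instead of relying on that abort.

```c
/* Added example: getgroups() size-argument bug beside the corrected call.
 * Names and sizes are assumptions modelled on comment 3, not setuid.c itself. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define NGROUPS_BUF 1024   /* assumed: the "4*1024=4096" array in comment 3 */

/* Size argument the buggy call passes: sizeof() yields bytes, so with a
 * 4-byte gid_t this is 4096 elements' worth of writes into a 1024-slot array. */
size_t buggy_getgroups_arg(void)
{
    gid_t groups[NGROUPS_BUF];
    return sizeof(groups);                      /* bytes: wrong unit */
}

/* Size argument the fixed call passes: element count. */
size_t fixed_getgroups_arg(void)
{
    gid_t groups[NGROUPS_BUF];
    return sizeof(groups) / sizeof(groups[0]);  /* elements: right unit */
}

/* The bound check glibc's fortified getgroups() applies at run time:
 * arg elements must fit in buf_bytes, otherwise __chk_fail() aborts the
 * process with "*** buffer overflow detected ***". */
int getgroups_arg_fits(size_t arg, size_t buf_bytes)
{
    return arg <= buf_bytes / sizeof(gid_t);
}

/* Corrected pattern: ask the kernel how many groups there are first (POSIX
 * defines getgroups(0, NULL) as "return the count only"), refuse a buffer
 * that is too small, then pass the element count. Returns the number of
 * groups stored, or -1 with errno set. */
int read_supplementary_groups(gid_t *out, size_t out_len)
{
    int needed = getgroups(0, NULL);
    if (needed < 0)
        return -1;
    if ((size_t)needed > out_len) {
        errno = EINVAL;                          /* caller's buffer too small */
        return -1;
    }
    return getgroups((int)out_len, out);         /* element count, not sizeof */
}

/* Same fixed-size array as the report, used through the corrected helper.
 * Returns the group count, or -1 on error. */
int count_groups_fixed_buffer(void)
{
    gid_t groups[NGROUPS_BUF];
    return read_supplementary_groups(groups, sizeof(groups) / sizeof(groups[0]));
}

int main(void)
{
    size_t buf_bytes = NGROUPS_BUF * sizeof(gid_t);
    printf("buggy argument %zu fits buffer: %s\n", buggy_getgroups_arg(),
           getgroups_arg_fits(buggy_getgroups_arg(), buf_bytes) ? "yes" : "no");
    printf("fixed argument %zu fits buffer: %s\n", fixed_getgroups_arg(),
           getgroups_arg_fits(fixed_getgroups_arg(), buf_bytes) ? "yes" : "no");
    int n = count_groups_fixed_buffer();
    if (n < 0)
        perror("getgroups");
    else
        printf("process has %d supplementary group(s)\n", n);
    return 0;
}
```

The detection side is worth noting: the fortify check fires only on the code path that actually calls `getgroups()`, which is why the reporter saw the abort when running as root and a clean start otherwise; a build without `_FORTIFY_SOURCE` would instead silently overrun the stack array whenever the process belonged to more groups than the array holds.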
Comment 4 Andy Burns 2006-01-23 16:45:06 EST
checking with system updated to rawhide 2006-01-23

xscreensaver 1:4.23-1 

works ok as non root, but daemon still crashes as root

*** buffer overflow detected ***: xscreensaver terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x3d5bbdca4f]
/lib64/libc.so.6[0x3d5bbddd1e]
xscreensaver[0x41231a]
xscreensaver[0x412abb]
xscreensaver[0x40797c]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3d5bb1cde4]
xscreensaver[0x405559]
======= Memory map: ========
00400000-00434000 r-xp 00000000 fd:00 25401151   /usr/bin/xscreensaver
00533000-00535000 rw-p 00033000 fd:00 25401151   /usr/bin/xscreensaver
00535000-00559000 rw-p 00535000 00:00 0          [heap]
3d23400000-3d23405000 r-xp 00000000 fd:00 25401201   /usr/lib64/libXxf86vm.so.1.0.0
3d23405000-3d23504000 ---p 00005000 fd:00 25401201   /usr/lib64/libXxf86vm.so.1.0.0
3d23504000-3d23505000 rw-p 00004000 fd:00 25401201   /usr/lib64/libXxf86vm.so.1.0.0
3d5b900000-3d5b919000 r-xp 00000000 fd:00 93389020   /lib64/ld-2.3.90.so
3d5ba19000-3d5ba1a000 r--p 00019000 fd:00 93389020   /lib64/ld-2.3.90.so
3d5ba1a000-3d5ba1b000 rw-p 0001a000 fd:00 93389020   /lib64/ld-2.3.90.so
3d5bb00000-3d5bc2f000 r-xp 00000000 fd:00 93389021   /lib64/libc-2.3.90.so
3d5bc2f000-3d5bd2f000 ---p 0012f000 fd:00 93389021   /lib64/libc-2.3.90.so
3d5bd2f000-3d5bd33000 r--p 0012f000 fd:00 93389021   /lib64/libc-2.3.90.so
3d5bd33000-3d5bd34000 rw-p 00133000 fd:00 93389021   /lib64/libc-2.3.90.so
3d5bd34000-3d5bd39000 rw-p 3d5bd34000 00:00 0
3d5c000000-3d5c002000 r-xp 00000000 fd:00 93389022   /lib64/libdl-2.3.90.so
3d5c002000-3d5c102000 ---p 00002000 fd:00 93389022   /lib64/libdl-2.3.90.so
3d5c102000-3d5c103000 r--p 00002000 fd:00 93389022   /lib64/libdl-2.3.90.so
3d5c103000-3d5c104000 rw-p 00003000 fd:00 93389022   /lib64/libdl-2.3.90.so
3d5c600000-3d5c605000 r-xp 00000000 fd:00 25418995   /usr/lib64/libXdmcp.so.6.0.0
3d5c605000-3d5c704000 ---p 00005000 fd:00 25418995   /usr/lib64/libXdmcp.so.6.0.0
3d5c704000-3d5c705000 rw-p 00004000 fd:00 25418995   /usr/lib64/libXdmcp.so.6.0.0
3d5ca00000-3d5caf9000 r-xp 00000000 fd:00 25418996   /usr/lib64/libX11.so.6.2.0
3d5caf9000-3d5cbf9000 ---p 000f9000 fd:00 25418996   /usr/lib64/libX11.so.6.2.0
3d5cbf9000-3d5cc00000 rw-p 000f9000 fd:00 25418996   /usr/lib64/libX11.so.6.2.0
3d5cd00000-3d5cd02000 r-xp 00000000 fd:00 25418994   /usr/lib64/libXau.so.6.0.0
3d5cd02000-3d5ce01000 ---p 00002000 fd:00 25418994   /usr/lib64/libXau.so.6.0.0
3d5ce01000-3d5ce02000 rw-p 00001000 fd:00 25418994   /usr/lib64/libXau.so.6.0.0
3d5d100000-3d5d10f000 r-xp 00000000 fd:00 25418997   /usr/lib64/libXext.so.6.4.0
3d5d10f000-3d5d20f000 ---p 0000f000 fd:00 25418997   /usr/lib64/libXext.so.6.4.0
3d5d20f000-3d5d210000 rw-p 0000f000 fd:00 25418997   /usr/lib64/libXext.so.6.4.0
3d5db00000-3d5db08000 r-xp 00000000 fd:00 25419010   /usr/lib64/libXrender.so.1.3.0
3d5db08000-3d5dc08000 ---p 00008000 fd:00 25419010   /usr/lib64/libXrender.so.1.3.0
3d5dc08000-3d5dc09000 rw-p 00008000 fd:00 25419010   /usr/lib64/libXrender.so.1.3.0
3d5e500000-3d5e502000 r-xp 00000000 fd:00 25419018   /usr/lib64/libXinerama.so.1.0.0
3d5e502000-3d5e601000 ---p 00002000 fd:00 25419018   /usr/lib64/libXinerama.so.1.0.0
3d5e601000-3d5e602000 rw-p 00001000 fd:00 25419018   /usr/lib64/libXinerama.so.1.0.0
3d5f500000-3d5f503000 r-xp 00000000 fd:00 25419020   /usr/lib64/libXrandr.so.2.0.0
3d5f503000-3d5f602000 ---p 00003000 fd:00 25419020   /usr/lib64/libXrandr.so.2.0.0
3d5f602000-3d5f603000 rw-p 00002000 fd:00 25419020   /usr/lib64/libXrandr.so.2.0.0
3d5f900000-3d5f917000 r-xp 00000000 fd:00 25403620   /usr/lib64/libXmu.so.6.2.0
3d5f917000-3d5fa16000 ---p 00017000 fd:00 25403620   /usr/lib64/libXmu.so.6.2.0
3d5fa16000-3d5fa18000 rw-p 00016000 fd:00 25403620   /usr/lib64/libXmu.so.6.2.0
3d5fb00000-3d5fb58000 r-xp 00000000 fd:00 25411002   /usr/lib64/libXt.so.6.0.0
3d5fb58000-3d5fc57000 ---p 00058000 fd:00 25411002   /usr/lib64/libXt.so.6.0.0
3d5fc57000-3d5fc5d000 rw-p 00057000 fd:00 25411002   /usr/lib64/libXt.so.6.0.0
3d5fc5d000-3d5fc5e000 rw-p 3d5fc5d000 00:00 0
3d61000000-3d6100f000 r-xp 00000000 fd:00 93389028   /lib64/libaudit.so.0.0.0
3d6100f000-3d6110e000 ---p 0000f000 fd:00 93389028   /lib64/libaudit.so.0.0.0
3d6110e000-3d61110000 rw-p 0000e000 fd:00 93389028   /lib64/libaudit.so.0.0.0
3d61500000-3d61509000 r-xp 00000000 fd:00 25419056   /usr/lib64/libSM.so.6.0.0
3d61509000-3d61609000 ---p 00009000 fd:00 25419056   /usr/lib64/libSM.so.6.0.0
3d61609000-3d6160a000 rw-p 00009000 fd:00 25419056   /usr/lib64/libSM.so.6.0.0
3d61700000-3d61716000 r-xp 00000000 fd:00 25419055   /usr/lib64/libICE.so.6.3.0
3d61716000-3d61816000 ---p 00016000 fd:00 25419055   /usr/lib64/libICE.so.6.3.0
3d61816000-3d61817000 rw-p 00016000 fd:00 25419055   /usr/lib64/libICE.so.6.3.0
3d61817000-3d6181b000 rw-p 3d61817000 00:00 0
3d62100000-3d6210b000 r-xp 00000000 fd:00 93389029   /lib64/libpam.so.0.81.1
3d6210b000-3d6220b000 ---p 0000b000 fd:00 93389029   /lib64/libpam.so.0.81.1
3d6220b000-3d6220c000 rw-p 0000b000 fd:00 93389029   /lib64/libpam.so.0.81.1
3d65100000-3d65105000 r-xp 00000000 fd:00 93389033   /lib64/libcrypt-2.3.90.so
3d65105000-3d65204000 ---p 00005000 fd:00 93389033   /lib64/libcrypt-2.3.90.so
3d65204000-3d65205000 r--p 00004000 fd:00 93389033   /lib64/libcrypt-2.3.90.so
3d65205000-3d65206000 rw-p 00005000 fd:00 93389033   /lib64/libcrypt-2.3.90.so
3d65206000-3d65234000 rw-p 3d65206000 00:00 0
3d65700000-3d65703000 r-xp 00000000 fd:00 15466555   /usr/lib64/libXxf86misc.so.1.1.0
3d65703000-3d65802000 ---p 00003000 fd:00 15466555   /usr/lib64/libXxf86misc.so.1.1.0
3d65802000-3d65803000 rw-p 00002000 fd:00 15466555   /usr/lib64/libXxf86misc.so.1.1.0
2b1d63f52000-2b1d63f53000 rw-p 2b1d63f52000 00:00 0
2b1d63f63000-2b1d63f6b000 rw-p 2b1d63f63000 00:00 0
2b1d63f6b000-2b1d63f75000 r-xp 00000000 fd:00 93388828   /lib64/libnss_files-2.3.90.so
2b1d63f75000-2b1d64074000 ---p 0000a000 fd:00 93388828   /lib64/libnss_files-2.3.90.so
2b1d64074000-2b1d64075000 r--p 00009000 fd:00 93388828   /lib64/libnss_files-2.3.90.so
2b1d64075000-2b1d64076000 rw-p 0000a000 fd:00 93388828   /lib64/libnss_files-2.3.90.so
2b1d64076000-2b1d64082000 r-xp 00000000 fd:00 93388812   /lib64/libgcc_s-4.1.0-20060121.so.1
2b1d64082000-2b1d64182000 ---p 0000c000 fd:00 93388812   /lib64/libgcc_s-4.1.0-20060121.so.1
2b1d64182000-2b1d64183000 rw-p 0000c000 fd:00 93388812   /lib64/libgcc_s-4.1.0-20060121.so.1
7fffffd30000-7fffffd46000 rw-p 7fffffd30000 00:00 0   [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0   [vdso]


Comment 5 Mamoru TASAKA 2006-01-23 19:37:23 EST
Yes. xscreensaver-4.23-1 leaves this problem unsolved
(for root).
Comment 6 Mamoru TASAKA 2006-02-10 16:58:32 EST
If Andy's problem is from what I pointed out, current rawhide
(xscreensaver-4.24-1) should fix this problem.
Comment 7 Mamoru TASAKA 2006-09-23 22:30:34 EDT
Perhaps this bug is already fixed in 4.24 .
